Security

The measures we take to ensure your data is safe and secure.

We firmly believe in “eating our own dog food.” Just as our customers use a variety of tools, processes and technologies to help secure and control their environment, we do much the same here. Of course, at the center of our vulnerability intelligence is our own instance of Risk I/O. While Risk I/O serves as the centerpiece of our vulnerability intelligence, we recognize the need for a defense-in-depth approach to our overall security architecture. We were founded by a former CISO, after all.

Eating our own dog food is more than just a saying for a marketing document. Not only do we use Risk I/O to manage our vulnerabilities, we give our clients read access to our account. We understand the trust our customers place in our services and are committed to transparency in our controls.

Risk I/O Application Security

We employ a full suite of secure software development activities and controls. This starts with the design of our applications in a three-tiered Model View Controller architecture.

We carefully segment each of these technology layers via network and access controls. Within the code itself, our development teams use as many of the security functions provided by the Rails framework as possible. All of our developers follow the OWASP secure coding guide, cheat sheets and relevant technology-specific guidelines such as the OWASP Rails Security Guide. Our code is tested via static analysis and black-box scanning before it is deployed to our production environment.

In addition to our secure development activities, Risk I/O deploys a number of controls to protect the confidentiality and integrity of our customers and their data. Some of these controls include but are not limited to:

Data at rest encrypted using AES 256

User passwords stored as a one-way salted hash

Centralized logging & alerting

All network traffic encrypted via SSL and SSH

All application traffic over SSL/TLS

Three-tiered architecture, compartmentalized and firewalled
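The "one-way salted hash" control listed above is easy to state and easy to get subtly wrong (unsalted digests, fast hashes, or a comparison that leaks timing). The following is an added example, not Risk I/O's code; it shows the shape of such a control in Ruby using only the standard library: PBKDF2-HMAC-SHA256 with a random per-user salt and an iteration count stored alongside the hash, plus a constant-time comparison on verification. The record format and the iteration count are assumptions chosen for the example.

```ruby
require "openssl"
require "securerandom"

# Added example (not Risk I/O's code): one-way salted password storage.
# Parameters below are assumptions for illustration, not the product's settings.
ITERATIONS  = 100_000   # work factor; raise over time as hardware gets faster
KEY_LENGTH  = 32        # bytes of derived key (256 bits)
SALT_LENGTH = 16        # bytes of random salt per password

# Derive a fixed-length key from the password and salt with PBKDF2-HMAC-SHA256.
def derive_key(password, salt, iterations)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH,
                             OpenSSL::Digest.new("SHA256"))
end

# Compare two byte strings without an early exit on the first mismatching
# byte, so the time taken does not reveal how much of the hash matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Produce the value to store: "scheme$iterations$salt_hex$hash_hex".
# A fresh random salt means two users with the same password get
# different records, and precomputed tables are useless.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_LENGTH),
                  iterations: ITERATIONS)
  digest = derive_key(password, salt, iterations)
  ["pbkdf2-sha256", iterations, salt.unpack1("H*"), digest.unpack1("H*")].join("$")
end

# Re-derive from the stored salt and iteration count and compare in constant time.
# Returns false (never raises) for malformed or foreign-scheme records.
def verify_password(password, stored)
  scheme, iterations, salt_hex, hash_hex = stored.to_s.split("$", 4)
  return false unless scheme == "pbkdf2-sha256" && salt_hex && hash_hex
  return false unless iterations.to_s.match?(/\A\d+\z/)
  salt     = [salt_hex].pack("H*")
  expected = [hash_hex].pack("H*")
  secure_equal?(derive_key(password, salt, iterations.to_i), expected)
end
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing accounts: old records still verify with their recorded count, and can be re-hashed at next login.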

Data Center Operations: Physical and Environmental Controls

Our data center operations provider maintains a SOC 2 certification which we can provide on request. This detailed report provides our customers with insight into the physical and environmental controls within the data center. ALL CUSTOMER DATA IS STORED WITHIN THIS FACILITY.

Risk I/O Design and Development

At Risk I/O we take the security and privacy of your data very seriously. We make every effort to help ensure that your data stays protected whenever you use our products or services. The summarized list below gives some of the key ways in which the Risk I/O service has been designed and developed to better protect your data.

Mandatory input validation for all untrusted inputs that have a definable format, length, type and range. Where that is not possible, we mitigate the risk with another control appropriate to it (parameterized stored procedures, encoding, etc.).
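To make the "format, length, type and range" rule concrete, here is an added example in Ruby (the language of the Rails application described above); it is not Risk I/O's code, and the parameter names, rules and query are assumptions constructed for illustration. Each untrusted request parameter is checked against an allow-list rule and rejected on any failure rather than cleaned up, unexpected parameters are refused outright, and the values that survive are still handed to the database as bind parameters, which is the parameterized fallback the paragraph mentions.

```ruby
# Added example (not Risk I/O's code). Rules and field names are assumptions.
ValidationError = Class.new(StandardError)

# Allow-list: every accepted parameter has a type and, where it applies,
# a maximum length, a format, a numeric range or a fixed set of values.
RULES = {
  "hostname" => { type: :string, max_length: 253,
                  format: /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i },
  "port"     => { type: :integer, range: 1..65_535 },
  "severity" => { type: :string, max_length: 8, allowed: %w[low medium high critical] },
  "page"     => { type: :integer, range: 1..10_000, default: 1 },
}.freeze

# Type check first: web frameworks can hand back arrays or hashes for a
# parameter (e.g. "hostname[]=x"), so never assume a String arrived.
def coerce(name, raw, rule)
  case rule[:type]
  when :integer
    unless raw.is_a?(String) && raw.match?(/\A-?\d{1,9}\z/)
      raise ValidationError, "#{name}: not an integer"
    end
    raw.to_i
  when :string
    raise ValidationError, "#{name}: not a string" unless raw.is_a?(String)
    raw
  else
    raise ValidationError, "#{name}: unknown type in rule"
  end
end

# Validate a Hash of raw request parameters against the rules.
# Returns a new Hash of typed, checked values; raises on the first violation.
def validate(params, rules = RULES)
  unknown = params.keys - rules.keys
  unless unknown.empty?
    raise ValidationError, "unexpected parameter(s): #{unknown.join(', ')}"
  end

  rules.each_with_object({}) do |(name, rule), clean|
    raw = params[name]
    if raw.nil?
      raise ValidationError, "#{name}: missing" unless rule.key?(:default)
      clean[name] = rule[:default]
      next
    end
    value = coerce(name, raw, rule)
    if rule[:max_length] && value.length > rule[:max_length]
      raise ValidationError, "#{name}: longer than #{rule[:max_length]} characters"
    end
    if rule[:format] && !rule[:format].match?(value)
      raise ValidationError, "#{name}: does not match the required format"
    end
    if rule[:range] && !rule[:range].cover?(value)
      raise ValidationError, "#{name}: outside #{rule[:range]}"
    end
    if rule[:allowed] && !rule[:allowed].include?(value)
      raise ValidationError, "#{name}: must be one of #{rule[:allowed].join('/')}"
    end
    clean[name] = value
  end
end

# Even validated values are passed as bind parameters, never interpolated
# into the SQL text. Returns [sql, binds] for a hypothetical driver call.
PAGE_SIZE = 50
def find_assets_query(clean)
  sql = "SELECT id FROM assets WHERE hostname = $1 AND port = $2 " \
        "AND severity = $3 LIMIT $4 OFFSET $5"
  [sql, [clean["hostname"], clean["port"], clean["severity"],
         PAGE_SIZE, (clean["page"] - 1) * PAGE_SIZE]]
end
```

The point of rejecting instead of sanitizing is that a rejected request leaves nothing ambiguous for a downstream component to misinterpret; the bind parameters then cover the one place where a well-formed value is still not safe to splice into a query.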

Deployment

Built-in platform protection, in addition to implementation controls, to reduce risk from common web-based threats such as cross-site scripting (XSS) and cross-site request forgery (CSRF)

Automatic session expiration after a certain period of inactivity

Firewall that restricts network access to only the necessary ports

Security Research and Disclosure Process

The Risk I/O bug bounty program is managed through Bugcrowd. To see the terms of the program and participate, go to https://bugcrowd.com/portal/bounties/riskio and sign up as a tester. You will need to accept the Risk I/O terms of service to engage in testing. If you have identified a vulnerability, please report it via Bugcrowd to be eligible for a reward.

Site Privacy Policy

As you browse Risk I/O, advertising cookies will be placed on your computer so that we can understand your interests. Our display advertising partners then enable us to present you with retargeting advertising on other sites based on your previous interaction with us. The techniques our partners employ do not collect personal information such as your name, email address, postal address or telephone number. You can turn off your cookies to prevent retargeting.

About Risk I/O

Risk I/O is a software-as-a-service platform that correlates external Internet breach data, exploit data, and zero-day threat intelligence with internal vulnerability scan data and penetration testing data. Risk I/O processes over a billion vulnerabilities a day against Internet breach data for its users.